diff options
author | Mark Sapiro <msapiro@value.net> | 2011-10-13 21:06:31 -0700 |
---|---|---|
committer | Mark Sapiro <msapiro@value.net> | 2011-10-13 21:06:31 -0700 |
commit | 9d0b163d77434a4bc7fbc7e26c7ceeea781c1dc6 (patch) | |
tree | ec10bf6fc2052371f68834d53db0b3a2f7a0a54d /Mailman | |
parent | 38203d3a52d698b6b459e68063c471b35b9cc9e6 (diff) | |
download | mailman2-9d0b163d77434a4bc7fbc7e26c7ceeea781c1dc6.tar.gz mailman2-9d0b163d77434a4bc7fbc7e26c7ceeea781c1dc6.tar.xz mailman2-9d0b163d77434a4bc7fbc7e26c7ceeea781c1dc6.zip |
The fix for BUG #266220 (sf1181161) has been enhanced so that if there
is a pathological HTML part such that the Approved: password text isn't
found, but it is found after stripping out HTML tags, the post is
rejected with an informative message.
Diffstat (limited to '')
-rwxr-xr-x[-rw-r--r--] | Mailman/Handlers/Approve.py | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/Mailman/Handlers/Approve.py b/Mailman/Handlers/Approve.py index 9567325a..cfd76f46 100644..100755 --- a/Mailman/Handlers/Approve.py +++ b/Mailman/Handlers/Approve.py @@ -39,6 +39,16 @@ except NameError: NL = '\n' +def _(s): + # message is translated when used. + return s +REJECT = _("""Message rejected. +It appears that this message contains an HTML part with the +Approved: password line, but due to the way it is coded in the +HTML it can't be safely removed. +""") +del _ + def process(mlist, msg, msgdata): @@ -100,7 +110,8 @@ def process(mlist, msg, msgdata): # text part. We make a pattern from the Approved line and delete # it from all text/* parts in which we find it. It would be # better to just iterate forward, but email compatability for pre - # Python 2.2 returns a list, not a true iterator. + # Python 2.2 returns a list, not a true iterator. Also, there + # are pathological MUAs that put the HTML part first. # # This will process all the multipart/alternative parts in the # message as well as all other text parts. We shouldn't find the @@ -111,12 +122,18 @@ def process(mlist, msg, msgdata): # line of HTML or other fancy text may include additional message # text. This pattern works with HTML. It may not work with rtf # or whatever else is possible. + # + # If we don't find the pattern in the decoded part, but we do + # find it after stripping HTML tags, we don't know how to remove + # it, so we just reject the post. pattern = name + ':(\xA0|\s| )*' + re.escape(passwd) for part in typed_subpart_iterator(msg, 'text'): if part is not None and part.get_payload() is not None: lines = part.get_payload(decode=True) if re.search(pattern, lines): reset_payload(part, re.sub(pattern, '', lines)) + elif re.search(pattern, re.sub('(?s)<.*?>', '', lines)): + raise Errors.RejectMessage, REJECT if passwd is not missing and mlist.Authenticate((mm_cfg.AuthListPoster, mm_cfg.AuthListModerator, mm_cfg.AuthListAdmin), |